IDA Data to Decisions — Terminate, Tolerate, Transfer, or Treat


The Department of Defense (DoD) is increasingly concerned that the loss of sensitive data to our adversaries is eroding the competitive advantage of the United States. This sensitive data includes business proprietary information on key programs of record and infrastructure, including government documents at the Federal and State levels that describe gaps in and limitations of our national assets. This loss of data compromises the effectiveness of our readiness for defense of the nation, and it diminishes the value of the investments we have made to build advantages into our offensive and defensive capabilities — needed for protection in the event of an attack. The customary kinetic thin line, a basic level of survivability and resiliency to protect our most critical assets at the Federal level, may not be broad enough to include the full scope of issues that arise as adversaries seek to compromise our key defenses and national physical assets through breaches of our networks and other electronically initiated means.

For these reasons, the DoD Office of the Chief Information Officer (CIO) is beginning to share knowledge and create templates that the States and territories can leverage nationally. The Institute for Defense Analyses (IDA) assisted the DoD CIO in formalizing a proof of concept for cyber initiatives and developed frameworks for operationalizing the data and intelligence produced across State structures and organizations. While States are pursuing the resolution of cyber issues across many fronts, a significant gap remains between the ability to gather and share information and intelligence and the mitigation of breaches that have already occurred.

In lieu of a compliance-based cybersecurity model focused on the state of networks, malware, and patching, a risk-based cybersecurity decision model that enables a predictive capability to respond to impending cyber-attacks is needed. Operationalizing the analysis of data, information, and intelligence from disparate sources across multiple service sectors to provide a common operating picture and decision framework for State governments, law enforcement, emergency services, the Department of Homeland Security, the National Guard, industry, international stakeholder "partners," and others must begin now.

Data to Decision. If an adversary has the technology or capability to do harm, an incentive (the desire to invest time and resources) to use that technology or capability is also required for a cyber incident to be plausible. That is, even if an adversary has the means to do harm, there may not be an incentive to do so. Determining the appropriate investment necessary to address high-priority impact events is a key consideration given fiscal constraints, and plausibility includes both the technology involved and the motive to use it.

The framework below provides context and a common understanding for cyber decision-making to help Federal and State leaders operationalize intelligence and information:

1. Generate visualization - Geospatial representation is important to consider when dealing with actors — but it can be misleading. Hackers for hire and other third-party actors may be state-sponsored and not physically located at the origination point of the attack. Although the association of location to content may be manipulated, every actor has signatures that machines can identify.

2. Generate temporal representation of actors - In cyberspace, time is both relevant and irrelevant. It is irrelevant because incidents only occur when there is a congruence of sufficient intent and capability (e.g., Bash contained a vulnerability for over twenty years, but it only became relevant when hackers sought to exploit it). However, domestic and international triggers/hooks (e.g., lifting sanctions, which puts more funding into play to hire third-party actors to commit cyber-attacks) may be an indicator (forcing function) in predicting an attack. The ability to anticipate/control the progression of events to maximize the opportunity to observe the adversary and know the time when they are most prepared to act is critical.

3. Associate Organizations with Actors, Relationships, Technologies/Capabilities - Not all cyber risk is high-impact. Intent and capabilities should be placed in the context of a wider knowledge of actors and relationships (e.g., nation-states, corporate states, and criminal organizations) to improve insight into the threat.

4. Associate Content with Prioritized and Future Mission Capabilities - National assets should be prioritized based on their potential impact on our nation. Responses to threats or data losses should be weighed in the context of their importance to the overall mission outcome.

5. Utilize Knowledgebase Repository for Event Analytics - Federal and State governments should expand their sources of information to include international actors, non-state actors, event histories, social media, and episodic behaviors. These sources could assist in contextualizing and filling gaps in knowledge. The United States should begin to leverage non-traditional data sources to better protect and defend against cyber intrusions and attacks.

6. Share Situational Awareness and Situational Agility - Awareness is important, but alone, it is not enough. The accelerated nature of many cyber-attacks requires a readiness to act and a commitment to a rapid response with already established trusted systems and communities of interest.

7. Governance and Oversight - As Federal and State governments seek to develop and expand automated courses of action and thresholds, the global community is a key resource in developing a better understanding of the cyber risk (e.g., agreements across shared borders with Canada and the Soo Locks in the State of Michigan).

The Decision to Terminate, Tolerate, Transfer, or Treat Risk. A cyber vulnerabilities risk management approach should offer decision makers several choices when assets are assessed as being vulnerable to or experiencing cyber exploitation. Rather than simply accepting risk or investing in a mitigation action, using a framework based on the choices of Terminate, Tolerate, Transfer, and Treat is more appropriate for managing the dynamic and accelerating pace of cyber intrusion incidents. These choices present both opportunities and consequences.

The framework ensures that a decision maker is not limited to the more traditional yes/no and if/then/else decision construct, and it affords a deeper understanding of what could be gained or lost. The framework applies equally well to early investments and fully operational systems. Specific considerations for fully operational systems include the following.

Terminate - Opportunities and Consequences:

• Terminating a capability/technology may notify the adversary that he is DISCOVERED.

• There is no longer an opportunity to observe adversary targets and techniques.

• Although the incident is no longer a degradation to the system or environment, the capability/technology is lost and may have to be replaced if there are no substitutes.

Tolerate - Opportunities and Consequences:

• Avoids investment in lesser priorities deemed low impact.

• Allows time to develop a more informed understanding of the adversary and to defend against future attacks, afforded by the opportunity to observe.

• However, observation takes time and resources.

• Degradation of current capability continues.


Transfer - Opportunities and Consequences:

• Requires a surgical knowledge of what alternatives are technically available and what is feasible.

• Funding and other resources may be required.

• May need cooperation and collaboration from stakeholders (sometimes difficult to coordinate) outside an organization or country.

• Time is needed for correction, socialization, and application of the solution.

• May afford an opportunity to promote a solution from a singular platform to an enterprise-level application.

Treat - Opportunities and Consequences:

• Time and funding are required to treat and mitigate a risk.

• Know-how or knowledge is required that may not be contained in the original solution.

• There may be an opportunity to manipulate or create a false provenance or to misinform the adversary (e.g., in cases of exfiltration).

• New opportunity to build in defensive design.
A decision to terminate, tolerate, transfer, or treat risk must include at a minimum: (1) what is known (intelligence) about the adversaries' current capabilities, (2) the incentive of the adversary to use those capabilities against a target of importance, and (3) an assessment of the impact level of the asset (priority to the organization).

Note: This paper is a companion document to IDA publication number NS D-8008, A State Cyber Hub Operations Framework, dated June 2016, approved for public release; unlimited distribution.